General

  • Target

    setup-9035d.exe

  • Size

    76KB

  • Sample

    241204-kpdlcsznhw

  • MD5

    433edb87db3a82d14ba7d88ba87d3503

  • SHA1

    bb2af0b83d7a55aa2d9ebd5e1d3d6f06f1fecc8c

  • SHA256

    7743183018de756ca03523c24561a2cb868fc69e63ba01f4ff854cc11c3115ba

  • SHA512

    858fe073ff5a015d4a51b8976d1e88dcb23504848fb07cc6f1cc5eeac6de91c615aa028de867f520b7bd59750f6a2633061aec96cf5766c18eda8103e16a0516

  • SSDEEP

    1536:O1e1/zEY3vnxkoig5PBVDVfEHbqZYkcJzR72eP72X4HKzkO7C7ZGhLW:Pr3fxTPLh+bYX497MCO72Y1W

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Setup-x9035d.exe

  • pastebin_url

    https://pastebin.com/raw/2zRWZhkX

Targets

    • Target

      setup-9035d.exe

    • Size

      76KB

    • MD5

      433edb87db3a82d14ba7d88ba87d3503

    • SHA1

      bb2af0b83d7a55aa2d9ebd5e1d3d6f06f1fecc8c

    • SHA256

      7743183018de756ca03523c24561a2cb868fc69e63ba01f4ff854cc11c3115ba

    • SHA512

      858fe073ff5a015d4a51b8976d1e88dcb23504848fb07cc6f1cc5eeac6de91c615aa028de867f520b7bd59750f6a2633061aec96cf5766c18eda8103e16a0516

    • SSDEEP

      1536:O1e1/zEY3vnxkoig5PBVDVfEHbqZYkcJzR72eP72X4HKzkO7C7ZGhLW:Pr3fxTPLh+bYX497MCO72Y1W

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks